Round function

About: Round function is a research topic. Over the lifetime, 203 publications have been published within this topic receiving 2794 citations.


Papers
Book chapter, 15 Aug 2010
TL;DR: It is proved that a Feistel network with a super-logarithmic number of rounds, each instantiated with a leakage-resilient PRF, is a leakage resilient PRP, and generic side-channel attacks against Feistels are proposed.
Abstract: A cryptographic primitive is leakage-resilient if it remains secure even if an adversary can learn a bounded amount of arbitrary information about the computation with every invocation. As a consequence, the physical implementation of a leakage-resilient primitive is secure against every side-channel as long as the amount of information leaked per invocation is bounded. In this paper we prove positive and negative results about the feasibility of constructing leakage-resilient pseudorandom functions and permutations (i.e. block-ciphers). Our results are threefold: 1. We construct (from any standard PRF) a PRF which satisfies a relaxed notion of leakage-resilience where (1) the leakage function is fixed (and not adaptively chosen with each query) and (2) the computation is split into several steps which leak individually (a "step" will be the invocation of the underlying PRF). 2. We prove that a Feistel network with a super-logarithmic number of rounds, each instantiated with a leakage-resilient PRF, is a leakage-resilient PRP. This reduction also holds for the non-adaptive notion just discussed; we thus get a block-cipher which is leakage-resilient (against non-adaptive leakage). 3. We propose generic side-channel attacks against Feistel networks. The attacks are generic in the sense that they work for any round functions (e.g. uniformly random functions) and only require some simple leakage from the inputs to the round functions. For example we show how to invert an r-round Feistel network over 2n bits making 4·(n+1)^(r-2) forward queries, if with each query we are also given as leakage the Hamming weight of the inputs to the r round functions. This complements the result from the previous item showing that a super-constant number of rounds is necessary.

100 citations

Book chapter, 14 Aug 2000
TL;DR: The necessary condition for desirable P-functions is investigated, which means that the round functions are invulnerable to both differential and linear cryptanalyses.
Abstract: This paper studies the upper bounds of the maximum differential and linear characteristic probabilities of Feistel ciphers with SPN round function. In the same way as for SPN ciphers, we consider the minimum number of differential and linear active s-boxes, which provides a measure of the upper bounds of these probabilities, in order to evaluate the security against differential and linear cryptanalyses. The purpose of this work is to clarify the (lower bound of) minimum numbers of active s-boxes in some consecutive rounds of Feistel ciphers, i.e., in three, four, six, eight, and twelve consecutive rounds, using differential and linear branch numbers Pd, Pl, respectively. Furthermore, we investigate the necessary condition for desirable P-functions, which means that the round functions are invulnerable to both differential and linear cryptanalyses. As an example, we show the round function of Camellia, which satisfies the condition.

83 citations

Book chapter, 02 May 2002
TL;DR: It is shown that some properties of highly nonlinear functions as round functions enable to find a new upper bound for the degree of the product of its Boolean components.
Abstract: To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security, which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions enable one to find a new upper bound for the degree of the product of its Boolean components. Such an improvement holds when all values occurring in the Walsh spectrum of the round function are divisible by a high power of 2. This result leads to a higher order differential attack on any 5-round Feistel ciphers using an almost bent substitution function. We also show that the use of such a function is precisely the origin of the weakness of a reduced version of MISTY1 reported in [23, 1].

75 citations

Journal article
TL;DR: In this paper, it was shown that a higher order differential attack on any 5-round Feistel ciphers using an almost bent substitution function can be achieved by finding a new upper bound for the degree of the product of its Boolean components, where all values occurring in the Walsh spectrum are divisible by a high power of 2.
Abstract: To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security, which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions enable one to find a new upper bound for the degree of the product of its Boolean components. Such an improvement holds when all values occurring in the Walsh spectrum of the round function are divisible by a high power of 2. This result leads to a higher order differential attack on any 5-round Feistel ciphers using an almost bent substitution function. We also show that the use of such a function is precisely the origin of the weakness of a reduced version of MISTY1 reported in [23, 1].

72 citations

Book chapter, 19 Aug 2012
TL;DR: It is proved that swap-or-not has excellent quantitative security bounds, giving a Luby-Rackoff type result that ensures security assuming an ideal round function to a number of adversarial queries that is nearly the size of the construction's domain.
Abstract: We introduce the swap-or-not shuffle and show that the technique gives rise to a new method to convert a pseudorandom function PRF into a pseudorandom permutation PRP or, alternatively, to directly build a confusion/diffusion blockcipher. We then prove that swap-or-not has excellent quantitative security bounds, giving a Luby-Rackoff type result that ensures security assuming an ideal round function to a number of adversarial queries that is nearly the size of the construction's domain. Swap-or-not provides a direct solution for building a small-domain cipher and achieving format-preserving encryption, yielding the best bounds known for a practical scheme for enciphering credit-card numbers. The analysis of swap-or-not is based on the theory of mixing times of Markov chains.

60 citations

Network Information

Related Topics (5)

Cryptography: 37.3K papers, 854.5K citations, 87% related
Public-key cryptography: 27.2K papers, 547.7K citations, 87% related
Cryptographic protocol: 11.7K papers, 268.8K citations, 84% related
Encryption: 98.3K papers, 1.4M citations, 83% related
Hash function: 31.5K papers, 538.5K citations, 81% related
Performance Metrics

No. of papers in the topic in previous years

Year    Papers
2021    6
2020    15
2019    11
2018    16
2017    8
2016    14